Microsoft says IE 6, 7, and 8 vulnerable to remote code execution

Attack on users who visited the Council of Foreign Relations website discovered.

On Saturday, Microsoft published a security advisory warning users of Internet Explorer 6, 7, and 8 that they could be vulnerable to remote code execution attacks. The company said that users of IE 9 and 10 were not susceptible to similar attacks and recommended that anyone using the older browsers upgrade. However, customers who still run Windows XP cannot upgrade to IE 9 or 10 without upgrading their OS.

Microsoft's confirmation comes after reports from several security groups that the attack originated from the Council of Foreign Relations website, a “watering hole attack” that left people who visited the site with older versions of the browser open to further compromise.

The company has released a workaround for the problem and said that it is working on a patch for IE 6, 7, and 8, but did not say when those patches would be released. The Council of Foreign Relations told The Washington Free Beacon that it was investigating the situation and working to prevent security breaches like this in the future.

According to The Next Web, the CFR website was compromised with JavaScript that served malicious code to older IE browsers whose language was set to “English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.” The code then carried out a heap-spray attack using Adobe Flash Player.

While some reports claim that the attack was traced to Chinese hackers, this is unconfirmed. Computerworld describes the hack as highly targeted, however: “In a watering hole campaign, hackers identify their intended targets, even to the individual level, then scout out which websites they frequently visit. Attackers next compromise one or more of those sites, plant malware on them, and like a lion waits at a watering hole for unwary wildebeests, wait for unsuspecting users to surf there.”

Computerworld also points out that this vulnerability is similar in timing to a vulnerability that occurred December 28 last year, which Ars reported as having compromised a long list of technologies, including Microsoft's ASP.NET. Microsoft then published a workaround for ASP.NET website admins in the wake of the discovery of the exploit.

Who uses Internet Explorer 6, 7, or 8 anymore? Enterprise users should not be getting on the Internet if the enterprise insists on using IE 6, 7, or 8. IE 10 is the current version; if people insist on using outdated browsers, they should stay away from the Internet.

We're required to run IE8 on 2000+ machines per requirements from partner companies.

I don't mind paying for long-term support. Just because Microsoft published an operating system 11 years ago, doesn't necessarily mean I'm entitled to security updates forever.

What I mind is the requirement that I accept the changes they publish which are not necessary for compatibility and security. I delayed my upgrade to Windows 7 as long as possible and have been running it for a year now. I would go back to NT 4 if I could do so without sacrificing security, modern hardware support and DirectX updates. I would even pay more than the regular upgrade price for this service. I bet a lot of IT departments feel the same way, given the training costs associated with UI changes.

If Microsoft continues to pursue these tactics they are going to over-leverage themselves and lose their position in the market.

The term "Heap Spray" is also not in my lexicon, although my wife sometimes uses a deodorising spray after our dogs leave a mess on the carpet.

That would take up more space than the complete article and would involve lots of secondary and tertiary explanations first. Most people who'd understand the attack after a footnote already know what it is. I agree that a link to some explanation would've been a good idea, though, for the people who are interested (the wiki article could be better).

Internet Explorer is very slow. I only use it if I need to download Chrome for the first time.

What version of IE? Is it "very" or "marginally" slower? What benchmark are you referring to? This is the Ars community. Not trying to ride the high horse but generally speaking we expect posters to back up their claims, especially when they speak in sweeping generalizations.

I cannot blame Microsoft for not allowing IE9 on Windows XP. Apple does not even come close to that kind of long-term support. The trouble is that those who choose not to spend money and upgrade have no excuse anymore. XP has long gone and we are now two OS generations past XP. How long can anyone make up reasons not to at least upgrade to Windows 7? After all, IT should know that Windows 7 has an XP mode, so you can run XP software on it. Even Google and Mozilla have said XP support is not forever. The problem is Microsoft needed to draw a line sooner and it never did. Blame enterprise or netbooks or just poor PC users. But XP's lifespan was extended way too long.

Attacks happen on all platforms and browsers. People pick on IE because they like to pick on Microsoft. Anyone using IE6 has more problems than using an outdated browser. You have to wonder if they are even doing security updates properly? In fact, you should see nobody using IE 6, and IE 7 should be down to minimal status. As with any attack, it's focused on the number of potential targets. IE is still popular and it has more potential to be attacked than Chrome or Firefox because of its close connection to the OS. Even more reason to stay updated on OS security updates and use the latest IE browser. Given that fact, I cannot fathom why enterprise does not focus on upgrading in a timely manner for security reasons alone.

"Guys, I think I've figured how to get people off the old browsers - I have developed a browser vulnerability development platform".

"But your platform appears to have some vulnerabilities and back-doors".

I would be keen to have someone explain a "watering hole attack" using words that do not involve lions, hyenas or tigers (in Africa?).

The term "Heap Spray" is also not in my lexicon, although my wife sometimes uses a deodorising spray after our dogs leave a mess on the carpet.

In simple terms... A heap is memory set aside for temporary uses. A pointer is a memory address that is used as a stepping stone to another program. A heap spray puts copies of a pointer to the virus program all over the heap; this makes it very likely that a random use of a location in the heap is a use of a virus pointer.
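The plain-language explanation above (and the article's mention of a heap spray via Flash) can be made concrete with a small simulation. This is an added example, not code from the article or any commenter: a toy heap model in which every size and byte value is constructed, showing why a random hijacked pointer usually lands in sprayed data once most of the heap is covered, and how a defender that reserves an address range in advance keeps that range out of the spray's reach. No real exploit code is involved.

```python
import random

# Toy model of the heap spray idea: the heap is a flat byte array, and each
# sprayed block is filler followed by a marker that stands in for the copied
# "pointer to the virus program". All values below are constructed.
FILL, MARK, RESERVED = 0x90, 0xEE, 0xAA   # constructed byte values
BLOCK = 64                                 # constructed block size in bytes

def spray(heap: bytearray, n_blocks: int) -> int:
    """Fill up to n_blocks free blocks with FILL bytes ending in a 4-byte
    MARK; blocks already in use are skipped. Returns blocks placed."""
    placed = 0
    for off in range(0, len(heap) - BLOCK + 1, BLOCK):
        if placed == n_blocks:
            break
        if any(heap[off:off + BLOCK]):        # block not free: skip it
            continue
        heap[off:off + BLOCK - 4] = bytes([FILL]) * (BLOCK - 4)
        heap[off + BLOCK - 4:off + BLOCK] = bytes([MARK]) * 4
        placed += 1
    return placed

def reserve(heap: bytearray, addr: int, size: int) -> None:
    """Defender-side pre-allocation: occupy a range before any spray so those
    addresses can never hold attacker-placed bytes (the idea behind mitigations
    that pre-reserve commonly targeted addresses)."""
    heap[addr:addr + size] = bytes([RESERVED]) * size

def hits_spray(heap: bytearray, addr: int) -> bool:
    """Would a corrupted pointer to addr land on attacker-placed bytes?"""
    return heap[addr] in (FILL, MARK)

def coverage(heap: bytearray) -> float:
    """Fraction of the heap a random address lands in a sprayed block: how
    'very likely' the comment's random use of a location is to hit the spray."""
    return sum(b in (FILL, MARK) for b in heap) / len(heap)

def estimate_hit_rate(heap: bytearray, trials: int, seed: int = 1) -> float:
    """Monte Carlo version of coverage(): random corrupted pointer values."""
    rng = random.Random(seed)
    hits = sum(hits_spray(heap, rng.randrange(len(heap))) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    heap = bytearray(4096)                  # 64 blocks of 64 bytes
    reserve(heap, 1024, BLOCK)              # block 16 is off-limits to the spray
    print("blocks placed:", spray(heap, 48))
    print("coverage:", coverage(heap), "sampled:", estimate_hit_rate(heap, 1000))
    print("pointer into reserved block hits spray?", hits_spray(heap, 1030))
```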

A watering hole attack can also be described as a taxi stand attack. You know that your target will want a taxi, so you get yourself a taxi and park near a cabstand your target likes to use. When your target wants a cab, you are waiting to pick them up.

In practice they hire enough thugs to drive a fleet of taxis and attack everyone using that cabstand

You know it's a browser article when the -1 votes outnumber the +1 votes by 2:1.

IE 8 is the default browser in Windows 7, so 7 can be affected if you're one of those organizations that isn't going to IE 9 for some reason (like mine, for inexplicable and depressing reasons). It's quite a messy situation for XP users though, since they have no real answer until a patch comes out. Of course at this point XP users really need to get off XP, but saying that doesn't make it happen. Hopefully at this point every organization at least has a plan to do so.

I have to wonder what these malware writers are going to do when we finally kick Flash Player to the curb and close off so many easy avenues of attack? I guess they're going to have to attack HTML5 engines instead? The downside there is that your attack becomes browser-specific by default, not just because you're hoping people are stuck on outdated versions of IE.

Internet Explorer is very slow. I only use it if I need to download Chrome for the first time.

What version of IE? Is it "very" or "marginally" slower? What benchmark are you referring to? This is the Ars community. Not trying to ride the high horse but generally speaking we expect posters to back up their claims, especially when they speak in sweeping generalizations.

I can't speak to IE9/10, as I do not have access to those... but frankly, I would opine that anyone who is still using Windows XP and/or IE8 will almost certainly hold the same opinions of IE as Chunhua. As a web developer myself, I would of course want to offer anecdotal evidence by saying that I have personally written code (DOM manipulation in an Ajax WebApp) which utterly brings IE8 to a crawl, even while it runs instantaneously in Firefox/Chrome/Safari. However, you clearly are not interested in anecdotes; so speaking more objectively for your benefit... there are various browser "benchmarking" tools out there, and I just ran a couple of them on the antique XP box on my desk at work:

* Peacekeeper, gives me a score of 94 in IE8 and a score of 769 in Firefox 17. (Higher is better in this test.)

* SunSpider gives me a score of 9879ms in IE8 and a score of 487.9ms in Firefox 17. (Lower is better in this test.)

In addition to that, some benchmarks won't even run successfully in IE at all, such as Google's "Octane" and RoboHornet benchmark tools.

Who uses Internet Explorer 6, 7, or 8 anymore? Enterprise users should not be getting on the Internet if the enterprise insists on using IE 6, 7, or 8. IE 10 is the current version; if people insist on using outdated browsers, they should stay away from the Internet.

All the small businesses, governments, and corporations that have custom software running on past iterations of Internet Explorer that cost tens of millions of dollars to develop, deploy, and support. That is who.

Who uses Internet Explorer 6, 7, or 8 anymore? Enterprise users should not be getting on the Internet if the enterprise insists on using IE 6, 7, or 8. IE 10 is the current version; if people insist on using outdated browsers, they should stay away from the Internet.

IE 10 isn't an official release on Windows 7 yet. Most people I know in the corporate environment (still the largest user base, IIRC) either have no plans to upgrade to Win8 anytime soon unless they skipped 7 and Vista and simply have no choice anymore, or finally have the budget to upgrade, something a lot of people seem to ignore. Even a small(ish) 2000-seat shop is going to be a couple million just for the hardware, even if they go fairly cheap at $1000 per machine. Getting that approved is not a trivial process.

Honestly, the primary reason we continue to use IE (we use 8 @ work) is because we have to support a couple dozen sites that continue to utilize ActiveX controls to do what they do. Perhaps a third of those work properly under IE 9, much less 10.

Chrome at least has an MSI installer, but still hasn't stopped its malware-like installation process, and the frankly mule-headed refusal of the Firefox devs to even provide an MSI... ugh. The hoops IT needs to jump through just to deploy it en masse are unacceptable, so they're never going to make any inroads in the one segment they need to (enterprise) to get more people in the segment they supposedly do (home, consumer, enthusiast). IE gets used because it comes with Windows, but also because people use it at work, so they're comfortable with it. Until something bad happens, they'll keep on using it.

IE it is then, except for the handful of users who actually have to visit those sites who have taken it upon themselves to only adhere to the latest standards and offer nothing for people who may be stuck with older tech. I get what they're trying to do, but it isn't working; people generally won't install a new browser for a site or two, and it's a bit arrogant to think they will.

To me it's like refusing to allow old cars on the road because they have bias ply tires or 6 volt electrical systems.

It's always amusing to me to see that the conventional wisdom among IT professionals still holds today just as it did 30 years ago: Separately give ten IT professionals one problem and you'll get eight different solutions, one of which will completely break the system and at least two which, if implemented together, would result in disaster.

I read a lot about folks at an Enterprise level writing about their systems requiring the use of IE in order to run mission-critical applications. That got me thinking - how many development tools require a particular brand of program be installed in order to run as opposed to an already installed functionality? For example, Word Perfect requires a printer to be installed before it will run (at least in some of the older versions). It didn't care what BRAND of printer it was. But way too many programs demand IE, rather than just a browser with certain capabilities.

I noticed InstallShield doesn't have a "default web browser" option, but only IE as an option for web access. This pervasiveness in requiring a particular browser BRAND rather than just basic capabilities should be examined, IMHO. After all, if the antitrust suit was to break MS away from the browser, why do so many installers and developers focus on an MS brand browser? Consistency only requires capability and functionality - not brand.

The point is, if Enterprise is relying on an outdated browser BRAND for mission-critical systems rather than relying on updated, more secure functionality and capability in general, then it's up to Enterprise to express its desire to break away from IE and make IDE developers take a wider view of what functionality is available in the browser world.

IE 10 is the current version; if people insist on using outdated browsers, they should stay away from the Internet.

IE10 is years behind every other browser in modern standards and practices so, yes, no one should be using IE10 either and upgrade to Firefox or Chrome or Opera or ANYTHING else.

It's no longer the 90s, Microsoft is no longer the evil empire. Go troll Apple or Samsung a bit.

IE 10 is years ahead of IE 9 but it's still in last place. No, people should not use it unless they have to. I'm building apps now that utilize Fullscreen API and Orientation events and oh, guess what, IE doesn't work. Here we go again -- the slow kid is holding the class back once more.

The root of the problem is IE's two year cycle. If Microsoft wanted to do their customers a favor, they could just include something like Chrome Frame with windows and call it IE 11.

What a weird, weird set of comments. Every comment that says anything bad about IE has received so many negative votes as to be auto-hidden from view. What the heck? I guess all of the negative votes are from pro-MS people suffering from stage-3 butthurt syndrome. Studies have shown that syndrome-induced downvoting only delays the onset of stage-4, but cannot prevent it. Please rescind all of your negative votes and go see a doctor.

Does anyone know if simply uninstalling Java would prevent this particular attack from occurring in the first place?

No, it won't do a thing. This attack doesn't use Java. Uninstalling Flash would likely prevent it, or using a secure browser such as Firefox for visiting pages that require Flash (i.e. uninstalling the ActiveX Flash version and only leaving the Firefox Flash plugin). Disabling JavaScript would probably also help in this particular case.